Summary | ZeroBOX

kkkk.exe

Generic Malware, UPX, Malicious Library, Downloader, HTTP, ScreenShot, Create Service, KeyLogger, Internet API, P2P, DGA, Hijack Network, Http API, persistence, FTP, Socket, Escalate priviledges, DNS, Code injection, PWS, Sniff Audio, Steal credential, AntiDebug, PE File, AntiVM
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 6, 2024, 9:08 a.m.
Completed: Aug. 6, 2024, 9:12 a.m.
Size: 8.5MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 95a0d897b91d497a0ca545c9ef3d2c37
SHA256: 08ec2bbf9b90c71fcfb135214e597399d489cd623d5c71c9665278ad30a0a6a7
CRC32: 1DB833EC
ssdeep: 196608:3sKAtCQV1L/ybrQHnaNzMfVyaLByK2/oBQUCI4PU:3F61y3qa/MmwB4I1
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
GetComputerNameW  computer_name: TEST22-PC  1  1  0
GetComputerNameW  computer_name: TEST22-PC  1  1  0
Time & API Arguments Status Return Repeated
IsDebuggerPresent  0  0
Time & API Arguments Status Return Repeated
WriteConsoleW  buffer: 1 file(s) moved.  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Set  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Parents=W  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: rlkInstalled  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Nl South Notice Forming Control Itsa Judge  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'rlkInstalled' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: sHbqCompressed  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Gods Usual Ace Schemes Medium Angry Art Bracket  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'sHbqCompressed' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: CuUsAvenue  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Chile Un Allow Challenge Sec Serves Tokyo Hampton  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'CuUsAvenue' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: AopCFirefox  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Cute Radius Sequence Inline Temporary  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'AopCFirefox' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: rcIHack  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Kissing Categories Architectural Demonstrate Excel Carter  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'rcIHack' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: MpLSuppose  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Constructed Glasgow Johnston  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'MpLSuppose' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Set  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Mall=1  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: xSMas  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Filename Facial Guam Bed  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'xSMas' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: wnyAFundamental  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Governing Equipped Robertson  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'wnyAFundamental' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: FlwSims  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Gamespot Organized Sentences Still Nights  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'FlwSims' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: ceCertain  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: Distributed Towns Three Valuation Selecting Radius Staff Deal  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'ceCertain' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
WriteConsoleW  buffer: C:\Users\test22\AppData\Local\Temp>  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: BhContests  console_handle: 0x00000007  1  1  0
WriteConsoleW  buffer: 'BhContests' is not recognized as an internal or external command, operable program or batch file.  console_handle: 0x0000000b  1  1  0
Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx  1  1  0
section .ndata
Time & API Arguments Status Return Repeated
NtProtectVirtualMemory  process_identifier: 2224; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x000000007304c000; process_handle: 0xffffffffffffffff  1  0  0
file C:\Users\test22\AppData\Local\Temp\762156\Jc.pif
cmdline "C:\Windows\System32\cmd.exe" /k move Developed Developed.cmd & Developed.cmd & exit
file C:\Users\test22\AppData\Local\Temp\762156\Jc.pif
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Time & API Arguments Status Return Repeated
ShellExecuteExW  show_type: 0; filepath_r: cmd; parameters: /k move Developed Developed.cmd & Developed.cmd & exit; filepath: cmd  1  1  0
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
huorong Trojan/BAT.Agent.cv
CrowdStrike win/grayware_confidence_70% (D)
Time & API Arguments Status Return Repeated
LookupPrivilegeValueW  system_name: (empty); privilege_name: SeDebugPrivilege  1  1  0
LookupPrivilegeValueW  system_name: (empty); privilege_name: SeDebugPrivilege  1  1  0
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
cmdline tasklist
Process injection Process 2776 resumed a thread in remote process 2224
Time & API Arguments Status Return Repeated
NtResumeThread  thread_handle: 0x0000001c; suspend_count: 0; process_identifier: 2224  1  0  0